Slapper Worm

Welcome to Security Alerts, an overview of recent Unix and open source
security advisories.

In this column, we look at the Linux Slapper
worm; a large set of vulnerabilities in NetBSD; and problems in
libX11.so, OS X's nidump, DB4Web, joe, BRU Workstation, xbreaky, and Tru64/OSF1 version 3.x.

A network worm that attacks Linux machines running Apache is
spreading. It spreads by exploiting vulnerabilities in the OpenSSL
library (see below) as used by mod_ssl. After breaking into a machine
through the OpenSSL vulnerability, the worm installs a distributed
denial-of-service attack client and then starts scanning for other
vulnerable systems.

There are four buffer overflows in the OpenSSL library that can be
exploited remotely to execute arbitrary code, or used to mount a
denial-of-service attack against the application linked against the
library.

Users should upgrade their OpenSSL library to version 0.9.6e or newer
as soon as possible, and then restart every daemon linked against it
(Apache with mod_ssl included) so that the old code is no longer
running in memory.
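A quick way to check whether a host is still below the column's fix threshold, as an added example (not code from the column or the OpenSSL project): it parses the banner printed by `openssl version`, which in the 0.9.x series carried a letter suffix (0.9.6d is older than 0.9.6e, which is older than 0.9.6g, all older than 0.9.7), and compares it with 0.9.6e. The sample banners below are constructed; `installed_banner()` runs the real command if one is present.

```python
"""Compare an installed OpenSSL against the 0.9.6e fix threshold.

Added example, not from the column or the OpenSSL project. Letter-suffixed
releases are ordered the way OpenSSL numbered them in 2002:
0.9.6d < 0.9.6e < 0.9.6g < 0.9.7 (no letter sorts before 'a').
"""
import re
import subprocess

# Oldest release the column treats as fixed: 0.9.6e -> (0, 9, 6, 5)
MIN_FIXED = (0, 9, 6, 5)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 0.9.6d 9 May 2002' into (0, 9, 6, 4); a missing letter is 0."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), patch)


def is_vulnerable(banner, min_fixed=MIN_FIXED):
    """True when the banner describes a release older than min_fixed."""
    return parse_openssl_version(banner) < min_fixed


def installed_banner():
    """Banner from the system's `openssl version`, or None if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


# Constructed sample banners in the format `openssl version` printed in 2002.
SAMPLE_BANNERS = [
    "OpenSSL 0.9.6d 9 May 2002",
    "OpenSSL 0.9.6e 30 Jul 2002",
    "OpenSSL 0.9.6g 9 Aug 2002",
    "OpenSSL 0.9.7 31 Dec 2002",
]


def classify(banners):
    """Map each banner's version string to 'VULNERABLE' or 'fixed'."""
    return {b.split()[1]: ("VULNERABLE" if is_vulnerable(b) else "fixed")
            for b in banners}


if __name__ == "__main__":
    for version, verdict in classify(SAMPLE_BANNERS).items():
        print(version, verdict)
    banner = installed_banner()
    if banner:
        print("installed:", banner, "VULNERABLE" if is_vulnerable(banner) else "fixed")
```

One caveat the check cannot cover: the worm attacks the library that Apache's mod_ssl actually loads, which on a system with a second, privately built OpenSSL may not be the one the `openssl` binary on the PATH reports. Confirm with `ldd` on the httpd binary or the mod_ssl module which libssl it resolves to.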

The libX11.so library can, under some conditions, be manipulated into
opening user-controlled libraries while executing a set user id
application. Under some circumstances, this can be exploited to gain
additional privileges.

It is recommended that users upgrade to a repaired version of the
libX11.so library as soon as possible. SuSE has released a new xf86
package that repairs this problem.

Three buffer overflows have been reported that affect applications
distributed with Tru64/OSF1 version 3.x. The buffer overflows are in
uucp, the mail utility inc, and dxterm. They are reported to be
exploitable by local attackers to gain root level access.

HP recommends that all users upgrade to Tru64 Unix V5.1 and apply all
of the recommended patches. Removing the set user id bits from these three
applications will protect against an attack, but will cause problems in
their operation.

The OS X nidump utility can be run by any local user to dump the
system's password hashes from the NetInfo database. The user can then
feed those hashes to a password-cracking tool and try to recover the
passwords offline.

Affected users can change the permissions on the nidump utility so that
only a restricted set of users (perhaps just root) can execute it.

IBM's DB4Web product can be manipulated into making arbitrary TCP/IP
connections and may, under some circumstances, be used as a port
scanner. When DB4Web is pointed at a host and port it should not be
connecting to, it generates an error page that, among other
information, reveals whether the connection succeeded; an attacker can
read that page as the result of a probe.

Users of DB4Web should modify the default error page so that it no
longer reveals whether the connection was made, which is what makes it
useful as a port scanner.

In addition, the DB4Web product can be exploited to view arbitrary
files on the host.

IBM has released a patch for this problem and recommends that users
apply it as soon as possible.

When a file that has the set user id bit set is edited with joe, the
backup copy joe makes keeps the same permission bits but is owned by
the user running joe. It is hard to see this as a large problem unless
it is combined with a successful social-engineering attack on a system
that allows set user id shell scripts. It does, however, illustrate one
of the harder parts of writing secure code: thinking of everything.

This problem has been repaired in joe's CVS repository and concerned
users should upgrade.

The NetBSD Security Officer has announced a large number of
security vulnerabilities that have been fixed in NetBSD 1.6.

These problems include a buffer overrun in the libc/libresolv DNS
resolver; corruption of session hold counts by repeated TIOCSCTTY
ioctls; multiple vulnerabilities in the OpenSSL code; a symlink race in
pppd; a buffer overflow in the Sun RPC XDR decoder; a buffer overrun in
setlocale; a bug in the NFS server code that allows a remote denial of
service; an fd_set overrun in both the mbone tools and pppd; shutdown
on a TCP socket not working as intended; and multiple security issues
in the kfd daemon. The Security Officer also states that further
problems fixed in NetBSD 1.6 have not yet been announced because they
"involve third parties, and are awaiting disclosure co-ordination."

The NetBSD Security Officer recommends that users upgrade to NetBSD
1.6. Users who cannot upgrade should update to the current NetBSD-1.5
source, using anoncvs, and then rebuild. Users of NetBSD-current
should update to a version newer than September 11, 2002 and then
rebuild. Once the system has been upgraded, users must recompile all
statically linked binaries, remove old shared libraries, remove the
shared libraries used for OS emulation under /emul, and ensure that a
vulnerable version of kfd is not installed on the system. More details
on these problems and their solutions are available from http://www.netbsd.org/Security/.

BRU Workstation, a backup and restore tool, is vulnerable to a
symbolic-link race condition that can be used to overwrite arbitrary
files on the system, and can be used to gain root permissions under
some conditions.

xbreaky is a Breakout-style game for X11. It is reported to be
installed set user id root by default. Because the game then runs with
root privileges, a user can exploit its high-score saving to overwrite
any file on the system. Under OpenBSD and NetBSD, the game is reported
to be installed without the set user id bit.

It is recommended that affected users upgrade to xbreaky version 0.0.5
as soon as possible, or remove the set user id bit.
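Three of this month's items (xbreaky, the Tru64 tools, and nidump) share the same stop-gap: take the set user id bit off a program that should not have it, or restrict who may run it. Below is that mitigation turned into a repeatable check, as an added example that is not from the column or any vendor it covers: walk a tree, list every setuid/setgid regular file, flag those not on an allowlist, and clear the bit on request. `build_sample_tree()` constructs a throwaway directory standing in for a root filesystem; the file names are taken from the column but their contents and the allowlist are assumptions for the example.

```python
"""Audit a tree for setuid/setgid programs and strip the bit where it is unexpected.

Added example, not from the column or the vendors it covers. The sample tree
is constructed in a temporary directory.
"""
import os
import stat
import tempfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def find_setuid(root):
    """Sorted (path, mode) for regular files under ROOT with setuid or setgid set.
    lstat() so symlinks are not followed; entries that cannot be stat'ed are skipped."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def unexpected_setuid(root, allowlist):
    """Setuid/setgid files whose basename is not in ALLOWLIST."""
    return [p for p, _m in find_setuid(root) if os.path.basename(p) not in allowlist]


def strip_special_bits(path):
    """Drop setuid, setgid and sticky from PATH, leaving rwx alone. Returns the new mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~SPECIAL_BITS
    os.chmod(path, mode)
    return mode


def restrict_to_owner(path):
    """The nidump mitigation: remove group and other permissions so only the owner can run it."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~0o077
    os.chmod(path, mode)
    return mode


def is_setuid(path):
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def audit_and_fix(root, allowlist, fix=False):
    """Basenames of unexpected setuid/setgid files; with fix=True their special bits are cleared."""
    offenders = unexpected_setuid(root, allowlist)
    if fix:
        for p in offenders:
            strip_special_bits(p)
    return [os.path.basename(p) for p in offenders]


def build_sample_tree():
    """Constructed stand-in for a root filesystem: names from the column, contents made up."""
    root = tempfile.mkdtemp(prefix="setuid-audit-")
    layout = {
        "usr/bin/passwd": 0o4755,     # expected to be setuid (assumed allowlist entry)
        "usr/games/xbreaky": 0o4755,  # setuid game, not expected
        "usr/bin/nidump": 0o755,      # not setuid; its problem is who may run it
    }
    paths = {}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"placeholder, not a real binary\n")
        os.chmod(path, mode)
        paths[os.path.basename(rel)] = path
    return root, paths


if __name__ == "__main__":
    root, paths = build_sample_tree()
    print("unexpected:", audit_and_fix(root, {"passwd"}, fix=True))
    print("xbreaky still setuid:", is_setuid(paths["xbreaky"]))
    print("nidump mode now: %o" % restrict_to_owner(paths["nidump"]))
```

Run against a real system the walk should start at / with the allowlist taken from the vendor's shipped package manifests, and the report kept as a baseline so new setuid files stand out on the next run. As the Tru64 item notes, clearing the bit on a program that genuinely needs it breaks that program, so review the offender list before passing fix=True.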